Closed Cyb3rSn0rlax closed 2 years ago
Hey @H1L021 Thank you for the PR.
What are your thoughts on adding event 4611 to the data source / component: Logon Session / Logon Session Metadata? I understand this event is not related to the creation of a logon session, but it describes the registration of a trusted logon process that will handle the logon process. Also, since the event provides context of the user that registered the trusted logon process, what are your thoughts on adding another yaml file with the relation: user --> registered --> logon process? This new relationship would also be mapped to the Logon Session / Logon Session Metadata.
Regarding the python script: it is really cool :D I was thinking of doing something similar LOL. I just tested it and it works. Just a quick question: would the script work when creating relationships in a year different than 2022?
I am merging the pull request and open issues for the comments/questions above since the current content is okay and we can update it later.
Best, Jose
Adding Logon Process Trusted
The event id 4611, for example, can be helpful in detecting rogue logon processes like Rubeus' `User32LogonProcesss` (with triple 'S').

Adding script to generate a UUID for future contributions

The script `generate_uuid.py` will generate a new UUID based on the already existing ones.
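As an added illustration of the detection idea in this PR (not code from the PR or the project), the snippet below runs over constructed 4611 events and flags a `LogonProcessName` that is absent from a baseline of legitimate logon processes or only nearly matches one, which is how the triple-'S' `User32LogonProcesss` string stands out. The baseline set, the event dictionaries and the similarity threshold are assumptions to tune against your own telemetry.

```python
"""Flag suspicious Event ID 4611 trusted-logon-process registrations (constructed sample data)."""
from difflib import SequenceMatcher

# Assumed baseline of LogonProcessName values commonly seen in 4611 events;
# build this from your own environment rather than trusting this list.
KNOWN_LOGON_PROCESSES = {
    "Winlogon", "User32", "Advapi", "Schannel", "IKE", "Seclogon",
    "CHAP", "SspiProxy", "Negotiat", "Kerberos", "NtLmSsp",
}

# Constructed sample events in the flat key/value form an EVTX parser yields.
SAMPLE_EVENTS = [
    {"EventID": 4611, "SubjectUserName": "SYSTEM", "LogonProcessName": "Winlogon"},
    {"EventID": 4611, "SubjectUserName": "alice", "LogonProcessName": "User32LogonProcesss"},
    {"EventID": 4624, "SubjectUserName": "alice", "LogonProcessName": "User32"},
]


def classify_logon_process(name: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for a LogonProcessName value."""
    name = name.strip()  # the field is often space-padded in the raw event
    if name in KNOWN_LOGON_PROCESSES:
        return "known"
    # A name that extends or nearly matches a legitimate one (an extra trailing
    # letter, for instance) is the typosquat pattern the PR points at.
    for known in KNOWN_LOGON_PROCESSES:
        similar = SequenceMatcher(None, name.lower(), known.lower()).ratio() > 0.8
        if name.startswith(known) or similar:
            return "lookalike"
    return "unknown"


def find_rogue_registrations(events):
    """Return (user, logon process name, verdict) for each 4611 event outside the baseline."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4611:
            continue
        verdict = classify_logon_process(ev["LogonProcessName"])
        if verdict != "known":
            findings.append((ev["SubjectUserName"], ev["LogonProcessName"].strip(), verdict))
    return findings


if __name__ == "__main__":
    for user, proc, verdict in find_rogue_registrations(SAMPLE_EVENTS):
        print(f"4611 registered by {user}: logon process '{proc}' is {verdict}")
```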